Table of Contents
Introduction - Page 3
Cyber Crime - Page 3
Contact Centers and Identity Theft - Page 3
Payment Card Industry Response - Page 4
PCI-DSS Requirements Impacting Call Recording - Page 5
Other PCI-DSS Requirements that Impact Call Recording - Page 6
Alternative 1 - Cease Recording - Page 7
Alternatives 2 and 3 - Agent-driven Compliance - Page 7
Alternative 4 - Transfers to Third Party Devices - Page 8
Alternative 5 - Do Nothing - Page 8
Alternative 6 - Invest in Intelligent Call Recording Systems - Page 8
VPI Solution - Page 8
Consequences of Non-Compliance - Page 10
Advisable Best Practices - Page 11
Advisable Best Practices for Securing At-Home Agents - Page 12
Dilemma for Contact Centers - Page 12
Telemarketing Sales Rule - Page 13
FSA Rules - Page 13
BASEL II - Page 13
Sarbanes-Oxley Act - Page 13
Gramm-Leach-Bliley Financial Services Modernization Act - Page 13
TILA and FDCPA Acts - Page 13
Barclaycard Guidance - Page 14
Executive Summary - Page 14
About the Author - Page 15
About VPI - Page 15
Introduction
Identity theft was the number one source of consumer complaints to the Federal Trade Commission (FTC) in 2007. Estimates by private market research firms peg the incidence of identity theft as high as 15 million consumers. The most common form of identity theft, according to the FTC, is the misuse of credit and debit card accounts. Approximately 3.4 million adults can expect to have their payment card data compromised every year. When credit card identities are stolen, it's not just the credit card companies that are left holding the bag; cardholders often face economic losses, lengthy legal battles and struggles to reestablish clean credit records. While for most consumers the impact is modest, according to the FTC one out of twenty victims suffers median out-of-pocket losses of $400 and spends 60 hours trying to clean up the mess that resulted.
Cyber Crime
For today's high-tech thieves, software is a much more productive and arguably less risky way to take other people's money than dumpster-diving for card receipts or picking pockets. A class of software known generally as malware can unsuspectingly creep into databases and extract hundreds of thousands of account identifiers. Malware is also spread by propagating a worm or virus or by making the malware available on a web site that exploits a security vulnerability. Common techniques include phishing, key and screen loggers, and SQL injection attacks. According to The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond, a report published by the U.S. Department of Homeland Security in 2006, "Credible estimates of the direct financial losses due to phishing alone exceed a billion dollars per year." The largest security breach to date was disclosed in January 2009. The case involved Heartland Payment Systems Inc. Heartland processes more than 100 million card transactions per month for 250,000 clients. On August 17, 2009 Albert Gonzalez, 28, of Miami, Florida was charged by the Department of Justice with stealing data from 130 million debit and credit card holders. According to the indictment, Gonzalez and international co-conspirators used an intricate hacking technique called an SQL injection attack, which seeks to exploit a computer network by finding a way around firewalls to steal credit and debit card information. It turns out that Gonzalez and his thugs were also responsible for the highly publicized intrusion of TJ Maxx card holders. Heartland expensed $144.2 million to consummate the settlement of claims.
In 2006, an employee at the HSBC Data Processing Center in Bangalore, India was arrested for allegedly passing personal customer information. As a result UK bank customers lost approximately USD$425,000.
In order to reduce fraud, the Payment Card Industry (PCI), which consists of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. established the PCI Security Standards Council in September 2006.
In the first example, Symantec followed up with a thorough investigation of the underground economy. Among the findings from their 68-page report was that the BBC reporters grossly overpaid for customer card data. Quoting from the report: "Credit cards are also typically sold in bulk, with lot sizes from as few as 50 credit cards to as many as 2,000. Common bulk amounts and rates observed by Symantec during this reporting period were 50 credit cards for $40 ($0.80 each), 200 credit cards for $150 ($0.75 each), and 2,000 credit cards for $200 ($0.10 each)."
The Council subsequently issued a Data Security Standard (PCI-DSS) which details security requirements for members, merchants and service providers that store, process or transmit cardholder data. The original PCI regulations specifically forbade storing primary account numbers (PAN), PIN numbers, service codes, expiration dates, and other specified identifiers unless they met PCI-DSS encryption standards. Payment processors, service providers and merchants that process more than 20,000 e-commerce transactions and over one million regular transactions are required to engage a PCI-approved Qualified Security Assessor (QSA) to conduct a review of their information security procedures and scan their Internet points of presence on a regular basis. However, no organization that accepts cards issued by the founding members of the Council is exempt from compliance. While the standard is primarily aimed at cardholder information in databases, contact centers can easily become unsuspecting violators. This is because of the practice of collecting and entering card data into order entry systems and archiving private customer information in call and data recording systems. Initially, the PCI-DSS allowed the voice and data recording and storage of sensitive card information provided that certain safeguards were in place, such as encryption, firewalls, and need-to-know authorizations. The precise levels of encryption are spelled out in the standard, as are the data categories that may be stored when properly encrypted.
On October 28, 2010 the PCI Security Standards Council issued a clarification stating that it is a violation of the PCI-DSS to store card validation codes and the full contents of any track from the magnetic stripe located on the back of the card.
The card validation value code is the three- or four-digit number that is usually imprinted next to the signature line on the back of the payment card. On American Express cards, the security code is on the face of the card. The Card Verification Code (referred to as CAV2, CVC2, CVV2, or CID) must not be retained post-authorization, cannot be stored in a standard digital audio or video format (e.g. wav, mp3, mpg, etc.), and a proper disposal procedure must be in place. If the recording solution cannot block the audio or video from being stored, the code must be deleted from the recording if it is initially recorded.
When it is absolutely necessary that your organization retain card verification codes, you will need to demonstrate to your QSA (Qualified Security Assessor) and your acquiring bank that:
You perform, facilitate or support issuing services - it is allowable for these types of organizations to store sensitive authentication data only if they have a legitimate business need to store such data. It should be noted that all PCI-DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with PCI-DSS and specific payment brand requirements.
Telephone order takers require the validation code as well as the PAN (Primary Account Number) and expiration date in order to secure authorization from the card issuer. Without that number, cyber thieves cannot make eCommerce purchases or illegally transfer funds out of cardholders' accounts. The standards committee made the change because of the availability of sophisticated malware that could penetrate encryption algorithms. The latest PCI-DSS standards require that the PAN be rendered unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
One-way hashes based on strong cryptography (the hash must be of the entire PAN)
Truncation (hashing cannot be used to replace the truncated segment of the PAN)
Index tokens and pads (pads must be securely stored)
Strong cryptography with associated key-management processes and procedures
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed versions of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
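The block below is an added illustration, not code from the PCI standard or from VPI, of two of the approaches listed above and of the note's correlation risk: truncation to the first 6 and last 4 digits (the same display masking the Barclaycard guidance later in this paper attributes to requirement 3.3), a keyed one-way hash over the entire PAN, and a count of how many Luhn-valid PANs fit a given truncated value. The sample PAN is a constructed test number, and the HMAC key and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a well-known Luhn-valid test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Truncation: keep the first 6 and last 4 digits, replace the rest with '*'.

    The hidden digits are discarded, so truncation on its own cannot be reversed."""
    if not pan.isdigit() or len(pan) < keep_first + keep_last + 1:
        raise ValueError("PAN must be numeric and longer than the kept digits")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) over the ENTIRE PAN.

    The key is an assumption of this example; in practice it comes from the
    key-management process the standard requires. Without the key, a stored
    hash cannot be matched against candidate PANs."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def correlation_candidates(truncated: str) -> int:
    """How many Luhn-valid PANs match a truncated PAN.

    For n hidden digits there are 10**n completions, and for any fixed choice of
    the other hidden digits exactly one value of the last one satisfies the Luhn
    check, so 10**(n-1) candidates remain. For a 16-digit PAN shown as first 6 /
    last 4 that is only 100,000, which is why an UNKEYED hash stored beside the
    truncated value is effectively reversible (the note above)."""
    hidden = truncated.count("*")
    return 10 ** (hidden - 1) if hidden > 0 else 1


def protect_pan(pan: str, key: bytes) -> dict:
    """Produce the two unreadable forms an order-entry system might keep."""
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    return {"truncated": truncate_pan(pan), "hash": hash_pan(pan, key)}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: throwaway demo key, not a managed one
    rec = protect_pan(SAMPLE_PAN, key)
    print(rec["truncated"], rec["hash"][:16] + "...")
    print("PANs matching the truncated form:", correlation_candidates(rec["truncated"]))
```

Keeping the hash keyed is the "additional control" this example chooses: an unkeyed SHA-256 next to the truncated value leaves a 100,000-candidate search, whereas the HMAC cannot be checked against candidates without the key.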
Requirement 10 and Subsection 10.1 require card acceptors to track and monitor all access to network resources and cardholder data and establish a process for linking all access to system components to each individual user. Requirement 10 and Subsection 10.2 require card acceptors to implement automated audit trails for all system components to reconstruct events such as user access to cardholder data, access to audit trails, use of authentication mechanisms, and the like. If an important part of the agent's job is to accept and/or solicit sales, then the question becomes: how do we prevent recording and storing of sensitive authentication data and the full contents of any magnetic stripe track? You must be able to manage call quality, and there are laws and regulations that many centers, particularly outbound, need to comply with. Full-time recording is the only way to measure compliance.
Available Alternatives
Alternative 1: Cease recording all sales and transaction calls.
Alternative 2: Train agents to disable the recording function when card data is required then
Alternative 3: Require agents to delete the section of the recording that includes the authorization code.
Alternative 4: Third-party devices that require the caller to enter card details via their touchtone pad.
Alternative 5: Do nothing.
Alternative 6: Invest in call recording systems that automatically mask and mute sensitive card details.
Alternative 5 - Do Nothing
The do-nothing option appears to be the favored choice at this point. In the 2009 Data Breach Investigations Report conducted by the Verizon Business RISK Team, researchers uncovered 90 confirmed breaches within their 2008 caseload encompassing an astounding 285 million compromised records, and 81% of the businesses were not Payment Card Industry (PCI) compliant. The most common form of data breach was compromised payment cards, with retail and financial services accounting for six out of ten of the security breaches. A 2009 poll of United Kingdom call center managers found that more than 19 in 20 call centers do not delete or mask credit card details in their call recordings, which is a violation of the Payment Card Industry Data Security Standard. Of the 133 call center managers contacted for the survey, only 3 percent indicated compliance with the guidelines. Among the reasons for failing to abide by PCI-DSS, 61 percent said they were unaware of the standards, 18 percent were aware but said they couldn't comply for technical or budgetary reasons, 11 percent were aware but chose not to follow them, and 6 percent were aware and were working toward compliance.
Alternative 6 - Invest in Call Recording Systems that Automatically Mute and Mask Sensitive Card Details
A handful of leading call recording vendors have developed truly integrated solutions. With the VPI solution, for example, the recorder uses desktop analytics to monitor the application screens in use by the agent during the interaction (including CRM, sales automation or other applications) to automatically sense when the agent is entering screens or fields where sensitive information must be entered, without the need for a costly back-end integration to those systems.
The VPI Fact Finder desktop analytics application can detect when an agent enters a screen with sensitive information, when sensitive information is inputted, and when they leave a screen containing sensitive information.
ID, DNIS, sales or collections $ amount, number of transfers, or even handle time of key processes within the call that led up to the successful transaction, is made available in interactive reports and analysis of key business issues and opportunities.
The VPI solution has the ability to mute out the audio and mask out the screen video during segments of the call containing sensitive data upon playback.
Option 4 - Permanent muting/masking during segments of the call containing sensitive info
For organizations that do not have a justifiable need to review or keep entire recordings for liability and other regulatory reasons, VPI is creating a solution to permanently mask and mute sensitive audio and screen video that will comply with the most stringent of the PCI requirements. In this case, the audio and video of segments containing sensitive cardholder information will be deleted prior to storage of recordings and unavailable to all system users regardless of user authorization privileges. NOTE: VPI expects to make this feature generally available in 2011. (Timeline for this feature is subject to change.)
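As an added illustration (not VPI's code, and not a description of how VPI Fact Finder is implemented), the block below shows the mechanism this alternative relies on: screen events marking when an agent enters and leaves a sensitive field are turned into time intervals, and the matching audio samples are zeroed before the recording is stored, so the card details never reach storage. The 8 kHz audio, the events and the event names are constructed assumptions; an enter event with no matching leave event mutes through the end of the call, since leaving the segment audible would be the unsafe failure.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

SAMPLE_RATE = 8000  # assumption: 8 kHz telephony audio


@dataclass(frozen=True)
class ScreenEvent:
    """A desktop-analytics event (constructed): seconds from call start and
    whether the agent entered or left a screen/field holding card data."""
    t: float
    kind: str  # "enter_sensitive" or "leave_sensitive"


def sensitive_intervals(events: Sequence[ScreenEvent], call_length: float) -> List[Tuple[float, float]]:
    """Pair enter/leave events into [start, end) intervals.

    Fail closed: a second 'enter' while already inside is ignored, a 'leave'
    without a preceding 'enter' is ignored, and an 'enter' that is never
    followed by a 'leave' mutes until the end of the call."""
    intervals: List[Tuple[float, float]] = []
    start = None
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "enter_sensitive" and start is None:
            start = ev.t
        elif ev.kind == "leave_sensitive" and start is not None:
            intervals.append((start, ev.t))
            start = None
    if start is not None:
        intervals.append((start, call_length))
    return intervals


def mute_segments(samples: Sequence[int], intervals, rate: int = SAMPLE_RATE) -> List[int]:
    """Return a copy of the audio with every sample inside the intervals set to silence (0)."""
    out = list(samples)
    for start, end in intervals:
        lo = max(0, int(start * rate))
        hi = min(len(out), int(end * rate))
        for i in range(lo, hi):
            out[i] = 0
    return out


def redact_recording(samples, events, rate: int = SAMPLE_RATE):
    """Permanent muting before storage: returns (muted audio, muted intervals).

    The intervals are kept as metadata so QA reviewers know a segment was
    removed, without the segment's content ever being written."""
    call_length = len(samples) / rate
    intervals = sensitive_intervals(events, call_length)
    return mute_segments(samples, intervals, rate), intervals


# Constructed 10-second call: non-zero samples stand in for speech.
CALL_AUDIO = [1000] * (10 * SAMPLE_RATE)
CALL_EVENTS = [
    ScreenEvent(3.0, "enter_sensitive"),  # agent clicks into the card-number field
    ScreenEvent(5.5, "leave_sensitive"),
    ScreenEvent(7.0, "leave_sensitive"),  # stray leave with no matching enter: ignored
    ScreenEvent(8.0, "enter_sensitive"),  # no leave before the call ends: muted to the end
]


def demo():
    """Run the redaction on the constructed call; returns (intervals, silenced sample count)."""
    muted, intervals = redact_recording(CALL_AUDIO, CALL_EVENTS)
    silent = sum(1 for s in muted if s == 0)
    return intervals, silent


if __name__ == "__main__":
    intervals, silent = demo()
    print("muted intervals (s):", intervals)
    print("silenced samples:", silent, "of", len(CALL_AUDIO))
```

The same interval list would drive masking of the screen video; what distinguishes this "permanent" variant from playback-time muting is that the zeroing happens before the file is written, so no privilege level can recover the segment.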
VPI Response to Requirement 4 Encrypt transmission of cardholder data across open networks
The intent of strong cryptography is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or home-grown algorithm). VPI supports AES-256 data and file encryption using strong cryptography as well as secure protocols including Secure Sockets Layer / Transport Layer Security (SSL/TLS) or Internet Protocol Security (IPSEC) to provide secure transmission of recorded voice and screen recordings and associated data over the network. (Requirement 4.1)
VPI Response to Requirement 7 Restrict access to card holder data by business need-to-know
The VPI system is capable of supporting a granular definition of access rights for a large number of user types, which allows for greater control over system user roles and privileges, such as the ability to search for and play back media files which contain sensitive data as identified by the VPI Fact Finder desktop analytics tool.
VPI Response to Requirement 8 Assign a unique ID to each person with computer access
The VPI system has unique user system log-in with an audit trail showing who has logged into the system, searched for calls, played back or exported calls and when. The status of all activities can be also monitored in heat maps that present audit log data in a visual, easy-to-analyze manner.
VPI Response to Requirement 10 Track and monitor all access to network resources and card holder data
This is achieved by providing an audit trail of all user activities linking specific actions to specific users, thereby providing a high degree of visibility and transparency. (Requirement 10.1) The VPI system also provides an interface for reconstructing events: user actions can be searched, categorized, sorted, reported and viewed by user or activity type. They can be visualized in heat maps by category. (Requirement 10.2)
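An added example, not VPI's code, of the kind of audit trail Requirements 10.1 and 10.2 ask for, using the activity types this paper lists (log-in, search, playback, export): every event is tied to one individual user ID and can be reconstructed by user or by activity type. The hash chain that makes the trail tamper-evident is this example's own addition rather than something the paper describes; the user IDs, timestamps, targets and the list of refused shared accounts are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

ACTIONS = {"login", "search", "playback", "export"}
SHARED_ACCOUNTS = {"shared", "qa-shared"}  # constructed examples of accounts that must not act


class AuditTrail:
    """Append-only audit trail linking each action to one uniquely identified user.

    Each entry carries the hash of the previous entry (a hash chain, added here
    beyond what the paper describes) so that editing or deleting an earlier
    record is detected by verify()."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries: List[Dict] = []

    @staticmethod
    def _digest(entry: Dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record(self, user_id: str, action: str, target: str,
               when: Optional[datetime] = None) -> Dict:
        """Append one event. Empty or shared accounts are refused so every
        action maps to an individual (Requirement 10.1)."""
        if not user_id or user_id.lower() in SHARED_ACCOUNTS:
            raise ValueError("every action must be tied to an individual user ID")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        ts = (when or datetime.now(timezone.utc)).isoformat()
        entry = {
            "seq": len(self._entries),
            "ts": ts,
            "user": user_id,
            "action": action,
            "target": target,  # e.g. a recording ID or the search expression used
            "prev": self._entries[-1]["hash"] if self._entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    def by_user(self, user_id: str) -> List[Dict]:
        """Reconstruct what one person did (Requirement 10.2 by user)."""
        return [e for e in self._entries if e["user"] == user_id]

    def by_action(self, action: str) -> List[Dict]:
        """Reconstruct one activity type across all users."""
        return [e for e in self._entries if e["action"] == action]

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, reordered or removed."""
        prev = self.GENESIS
        for i, e in enumerate(self._entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def build_sample_trail() -> AuditTrail:
    """Constructed activity for one agent and one supervisor."""
    t0 = datetime(2010, 11, 1, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.record("agent042", "login", "workstation-17", t0)
    trail.record("agent042", "search", "ani=555-0100", t0)
    trail.record("sup007", "login", "workstation-03", t0)
    trail.record("sup007", "playback", "rec-000123", t0)
    trail.record("sup007", "export", "rec-000123", t0)
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("exports:", [(e["user"], e["target"]) for e in trail.by_action("export")])
    print("chain intact:", trail.verify())
```

Exports of recordings are the events a reviewer most wants to find quickly, which is why the trail indexes by activity type as well as by user; the chain check belongs in the same periodic review.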
Consequences of Non-Compliance
Non-compliance risks revocation of card acceptance privileges and violation of state laws. Loss of card acceptance privileges could easily spell the death knell for retailers, service providers, and collection agencies. In fact, it is difficult to think of any type of business, nonprofit, or government revenue collection entity that does not rely on payment cards. The card issuers have the authority to revoke card privileges through their contracts. The other possibility is violation of state laws. As of this time, three states (Minnesota, Nevada, and Washington) have codified payment card industry data security standards. Quoting from the Washington state law: "A processor, business, or vendor will be considered compliant, if its payment card industry data security compliance was validated by an annual security assessment, and if this assessment took place no more than one year prior to the time of the breach." This requirement is not contingent on the volume of transactions. The Nevada law requires that companies doing business in the state of Nevada that accept payment cards must be compliant with the Payment Card Industry Data Security Standard (PCI-DSS). The law also requires that companies retaining personal data, including Social Security numbers (SSNs), driver's license numbers or account numbers together with passwords, must use encryption if they send the information outside of the company. The Nevada law is reported to be the only law that actually mandates PCI-DSS compliance. The language "doing business in the state of Nevada" is very broad and presumably could include companies not domiciled in the state. Other states are considering legislation that would codify PCI-DSS.
Advisable Best Practices
If you are working with outsourcers, remember that PCI-DSS is an international requirement. The outsourcer must also be compliant.
Ensure that employees do not share user IDs and passwords. Each user must be uniquely identified by their own login credentials. This information should be encrypted when stored in any computer systems.
Advisable Best Practices for Securing At-Home Agents
1. Be sure that the same level of firewall, corporate anti-virus protection, security patches, and definition files is extended to remote agents' and supervisors' PCs. (Requirements 1.4, 5.1 and 6.1)
2. Remote workers should be forbidden from copying, moving, and storing cardholder data onto hard drives or movable electronic media when accessing cardholder data. (Requirement 12.3.10)
3. Ensure remote agents and supervisors use a two-factor authentication process. (Requirement 8.3)
4. Use strong network encryption protocols such as Secure Sockets Layer and Transport Layer Security (SSL/TLS) or Internet Protocol Security (IPSEC) to provide secure transmission of the VoIP voice stream and data over the public network. (Requirement 4.1)
5. Ensure each at-home agent and supervisor is using a VPN connection into the corporate network with strong encryption protocols such as SSL/TLS. (Requirement 4.1)
6. Require remote agents and supervisors to encrypt their wireless networks using strong cryptography. (Requirements 2.1.1 and 4.1.1) As of June 30, 2010, the Wired Equivalent Privacy (WEP) protocol is no longer permissible for any new wireless implementations. (Requirement 4.1) The use of WPA2 is recommended.
7. If not using an enterprise VoIP-based telephone solution, require agents to use analogue telephone lines when talking with customers.
8. At-home agents should not use consumer VoIP telephone systems (such as Vonage) because their communications may not be encrypted. (Requirement 4.2)
9. Ensure that payment card information is never sent over an unencrypted medium such as chat, SMS/text, email or other non-encrypted communication channels.
10. Ensure that at-home agent and supervisor PCs have personal firewalls installed and operational. (Requirement 1.4)
11. Ensure that at-home agent and supervisor PCs have the latest approved security patches installed.
12. Require agents and supervisors to use only company-supplied systems. (Requirement 12.3)
13. Monitor at-home agents more often than in-house agents. (Requirement 12.3)
14. Annually review all security policies and procedures with all agents and require at-home agents to acknowledge the security requirements as part of their daily sign-in process. (Requirement 12.6)
Dilemma for Contact Centers
one of a growing list of laws, regulations, and industry standards that contact centers need to consider. There are several regulations that require or strongly recommend that calls be recorded in their entirety.
FSA Rules
The United Kingdom Financial Services Authority (FSA) published rules in March 2009 requiring firms to record telephone conversations and other electronic communications, including email and instant messages, relating to trading orders and the conclusion of transactions in the equity, bond, and derivatives markets.
BASEL II
BASEL II recommendations and policies, developed by the BASEL committee consisting of representatives from all G-20 major economies as well as other major banking locales such as Hong Kong and Singapore, prescribe that banks and their outsourced contact centers implement Operational Risk Management practices. The BASEL committee defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In order to protect against the official event types defined by BASEL II, including Internal Fraud (misappropriation of assets, tax evasion, intentional mismarking of positions, bribery), External Fraud (theft of information), Employment Practices and Workplace Safety (discrimination, workers' compensation, employee health and safety), Clients, Products & Business Practice (market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning), and Execution, Delivery & Process Management (data entry errors, accounting errors), many banks require full-time call recording and long-term storage of their recorded interactions.
Sarbanes-Oxley Act
The Sarbanes-Oxley Act sets out extensive guidelines for the documentation of business processes and transactions, mandating that businesses create and maintain electronic records as part of their regular business processes. To help ensure compliance with Sarbanes-Oxley, many organizations currently record and store all their calls in their entirety. Maintaining an electronic record of telephone calls in the same manner as emails helps to ensure compliance with Sarbanes-Oxley and simplifies the discovery and auditing processes, reducing the potential for abuse or mistakes.
Truth in Lending Act (TILA) & Fair Debt Collection Practices Act (FDCPA)
Full-time call recording is also frequently mandated to ensure contact center employees are accurately disclosing information required by the Truth in Lending Act and complying with collection practices required by the Fair Debt Collection Practices Act.
Barclaycard Guidance
Balancing the need for PCI compliance with other regulations, laws and risk management requirements, and with quality management requirements, can pose a dilemma. Barclaycard prepared a very informative white paper that, among other things, advises that call centre managers will need to ensure that the PAN is masked when displayed (i.e. only the first 6 and last 4 digits shown). This is part of requirement 3.3 and may include:
Restricting access to QA/recording and CRM data containing payment card data based on the user's log-in account and corporate role; for example, providing screen recording playback interfaces where the payment card information is displayed only to managers and compliance officers during legal discovery, and having it blacked out (masked) for all other supervisors and QA specialists.
Segmenting contact centre operations so that a limited number of agents have access to payment card data; for example, payment card information may be entered by a sales agent, but a customer service representative will only have access to the masked PAN.
Readers are encouraged to read the entire paper for more suggestions.
Executive Summary
Identity theft is a massive problem in the United States and globally. In response, the payment card industry has established clear rules to help assure that critical financial and identification data is protected from menaces both outside and within the enterprise. The PCI-DSS requirements must be adhered to by every organization, regardless of size, that accepts payment cards. There are direct impacts on contact centers, which in the past have proved to be fertile grounds for extracting payment card details from unsuspecting customers. In this paper we highlighted some sound practices to help assure data security. We also noted that the widespread practice of recording voice and data interactions may result in a breach of the data security standards and even a violation of certain state statutes unless important precautions are taken. Choosing to abandon interaction recording altogether or limit it to non-transactional calls is not an option. Besides the obvious need to assure consistent call quality, there are many other laws and regulations where recording is a legal requirement or the only practical means of establishing compliance. It is important that any call recording system purchased now can cope with both current and future changes in laws and industry standards and that the recording solution facilitate best practices. Suppliers must be able to prove that their products will help you assure compliance today and have the flexibility to adapt to future changes. The best solution is to avoid recording of the validation code altogether, after approval. The VPI solution provides this option.
About VPI
VPI is the world's premier provider of call recording, analytics and workforce optimization solutions for enterprises, contact centers, trading floors, government agencies, and first responders. For more than a decade, VPI has been providing proven technology and superior service to more than 1,500 customers in 50 countries. VPI's award-winning VPI EMPOWER software is an essential component for any organization that strives to enhance the customer experience, increase workforce performance, improve business efficiency and manage compliance. VPI EMPOWER leverages VPI Fact Finder, a ground-breaking desktop screen analytics technology that automatically detects events and data directly from application screens being used by employees and tags them to appropriate points within recorded interactions. With VPI EMPOWER, organizations of all sizes now have the ability to rapidly identify the root cause of important trends and issues via targeted analysis and evaluation from anywhere, all from an intuitive, personalized Web-based portal interface. In addition, the secure solution leverages advanced file and data encryption, is built around the principles of open, service-oriented architecture, and is platform independent to integrate seamlessly into any existing and evolving infrastructure in just weeks, resulting in compound reduction of costs and a significant and rapid Return on Investment. For more information, call 1-800-200-5430 or visit www.VPI-corp.com/PCI
References
The FTC in 2009, annual report of the Federal Trade Commission (March 2009)
The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond: A Joint Report of the US Department of Homeland Security, SRI International Identity Theft Technology Council, the Anti-Phishing Working Group, and IronKey, Inc. (September 2006)
Symantec Report on the Underground Economy July 07 - June 08, Symantec Corp. (November 2008)
Navigating PCI-DSS - Understanding the Intent of the Requirements, Version 2.0, Payment Card Industry (PCI) Data Security Standards, Payment Card Industry (PCI) (October 2010)
2009 Data Breach Investigations Report, Verizon Business RISK Team
Safe and Sound, Processing Telephone Payments Securely, Barclaycard (April 2010)
Contact VPI at
Info@VPI-corp.com 1.800.200.5430 www.VPI-corp.com
The information provided in this white paper is believed to be accurate, but is presented without express or implied warranty and is subject to change without notice.